BIND 9 Update fixing CVE-2013-3919

Published: 2013-06-05
Last Updated: 2013-06-05 22:00:12 UTC
by Richard Porter (Version: 1)
2 comment(s)
Today BIND9 recevied an update fixing a "recursive resolver with a RUNTIME_CHECK error in resolver.c" [1] Affected versions are BIND 9.6-ESV-R9, 9.8.5, and 9.9.3. The rated CVSS on this one is 7.8 [1,2]
 
To quote isc.org:
 
"At the time of this advisory no intentional exploitation of this bug has been observed in the wild. However, the existence of the issue has been disclosed on an open mailing list with enough accompanying detail to reverse engineer an attack and ISC is therefore treating this as a Type II (publicly disclosed) vulnerability, in accordance with our Phased Disclosure Process."
 
It it is time to review those BIND9 servers and start the process of patching.
 
[1] https://kb.isc.org/article/AA-00967
[2] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Richard Porter

--- ISC Handler on Duty

Keywords: bind9 ddos dns dos patch
2 comment(s)

Comments

We've seen a dramatic up tick in Bind/DNS version attempts. They usually come from the same IP addresses, repeatedly. This has been going on for about the last 3-4 days. Any one else seeing similar traffic? I'm wondering if it is related.
Beave! I just came here looking for hints about the same thing:
21x from 117.135.144.125
20x from 222.186.26.115
19x from 60.28.246.143

Since DNS is a stateless protocol, wouldn't it be easier to just try an exploit than to do a version check first?

I can't imagine CVE-2013-3919 (a mere DoS) being all that interesting to someone doing widespread scans - you would usually have specific target for that - so maybe this relates to something older?

Diary Archives